Lab Guide on Windows 10

Lab Guide: Securing a Windows 10 VM

In this lab, you will walk through some simple ways to harden a Windows 10 installation and some of the applications running on it. As security professionals in training, treat it as practice for the systems you will be responsible for later!

Step 1: Download the VM

The insecure VM can be downloaded from here: https://drive.google.com/open?id=1VcOnn4O0uwX7mZMSpnCjbAEhqwz91A6r

You will need 7-Zip to decompress the VM archive. Once it is extracted, double-click the .vmx file inside the folder to open it in VMware, then start the VM.

Step 2: Log In

These are the accounts at your disposal:

  • Ookie (Administrator)

    • Username: Ookie

    • Password: P4triots

  • Pokie (Administrator)

    • Username: Pokie

    • Password: Chocolate

  • Rocky (Standard Account)

    • Username: Rocky

    • Password: Peppermint

  • Rookie (Standard Account)

    • Username: Rookie

    • Password: Lollipop

  • Kooky (Bad Actor)

    • Username: Kooky

    • Password: Cookie

Ookie and Pokie are the only administrators. Rocky and Rookie are legitimate users; Kooky is the intruder's account.

Don't delete the Champlain account.

Step 3: Deleting Malicious Files

Background: This machine is strictly for web surfing, so nobody should be storing files of any sort on it. We can use PowerShell to search for files that have been downloaded onto the system.

  1. Do you know how to find all the media from Windows, without knowing the exact directory it’s in?

    1. Hit the Windows Icon in the bottom left and search for “Windows PowerShell ISE”. Run this as an administrator.

    2. Next, type the following command: Get-ChildItem -Path C:\ -Include *.ogg*,*.flac*,*.mp4* -Recurse -ErrorAction SilentlyContinue

      1. Get-ChildItem: Gets the files and folders in a file system drive

      2. -Path: Specifies where to start searching (here the root of C:)

      3. -Include: Returns only the items whose names match the given patterns

      4. -Recurse: Searches the directory and every subdirectory beneath it

      5. -ErrorAction: Decides how to respond when an error is thrown

      6. SilentlyContinue: Suppresses the error messages (typically "access denied" on protected system folders) and keeps going

SUBMIT: Take a screenshot that shows the output of this command, listing the media files that were found. (1 point)

  1. Do you know how to delete all the media that you have found?

    1. After the first command, type: Get-ChildItem -Path C:\ -Include *.ogg*,*.flac*,*.mp4* -Recurse -ErrorAction SilentlyContinue | foreach { Remove-Item -Path $_.FullName }

      1. foreach: Here an alias for ForEach-Object; it runs the script block once for every file the search sends down the pipeline.

      2. $_.FullName: The full path of the current file, not just its name, so Remove-Item can find it from any working directory.

SUBMIT: Once you’ve done this, re-run the command from step 1b. Take a screenshot of the results of this command, and submit it as part of your lab. (1 point)
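The Step 3 search-and-delete procedure as one reusable script, added here as an example (it is not part of the original lab). It assumes an elevated Windows PowerShell session; the extension list and the log path are assumptions you can change. Unlike the one-liners above it refuses to match directories, does a dry run first, and records the owner of each file before deleting it.

```powershell
# Added example (not from the original lab): Step 3 as a script.
# Assumptions: run as administrator; extension list and log path are mine.

function Find-MediaFiles {
    param(
        [string]   $Root       = 'C:\',
        [string[]] $Extensions = @('*.ogg', '*.flac', '*.mp4')
    )
    # -File excludes directories, so a folder named "clips.mp4" is never
    # returned (and therefore never deleted). Access-denied errors on
    # protected system folders are expected and suppressed, as in the lab.
    Get-ChildItem -Path $Root -Include $Extensions -File -Recurse `
                  -ErrorAction SilentlyContinue
}

function Remove-MediaFiles {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]   $Root       = 'C:\',
        [string[]] $Extensions = @('*.ogg', '*.flac', '*.mp4'),
        [string]   $LogPath    = "$env:TEMP\media-cleanup.log"
    )
    foreach ($f in (Find-MediaFiles -Root $Root -Extensions $Extensions)) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove file')) {
            # Record owner, size and path first so the report can still show
            # who stored what after the file is gone.
            $owner = (Get-Acl -LiteralPath $f.FullName).Owner
            "$(Get-Date -Format s)`t$owner`t$($f.Length)`t$($f.FullName)" |
                Add-Content -Path $LogPath
            # -LiteralPath: a name containing [ or ] would otherwise be
            # treated as a wildcard pattern and silently fail to match.
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
    # Return whatever is still there; an empty result is the evidence the
    # lab asks you to screenshot.
    Find-MediaFiles -Root $Root -Extensions $Extensions
}

# Dry run first: -WhatIf prints what would be removed and deletes nothing.
Remove-MediaFiles -WhatIf

$remaining = Remove-MediaFiles
if (-not $remaining) {
    Write-Host 'No media files remain under C:\'
} else {
    $remaining | Select-Object FullName, Length | Format-Table -AutoSize
}
```

Run it from an elevated Windows PowerShell ISE or console; the log file it writes is the record you would hand to whoever follows up on the user who stored the files.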

Step 4: Password Policies

Background Knowledge: We worked with setting password policies in an earlier lab.

  1. Do you know how to set the password policy for local users?

    1. Click on the Windows Icon in the bottom left and search.

    2. Open "Local Security Policy" (right-click it and choose "Run as administrator").

    3. Expand "Account Policies".

    4. Click on "Password Policy".

    5. Edit the different settings:

      1. Enforce password history

      2. Password must meet complexity requirements

      3. Minimum/Maximum password age

SUBMIT: After setting your password policies appropriately, open up a command prompt and run the command “net accounts”. Take a screenshot of the results and submit them as part of your lab. (1 point)
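The same policy set and verified from the command line, added as an example (not part of the original lab). It assumes an elevated Windows PowerShell session; the numbers used (24 remembered passwords, 1/90 day ages, 12 characters) are reasonable values I chose, not lab requirements. The point it adds: net accounts cannot set the complexity flag, so that one has to go through secedit.

```powershell
# Added example (not from the original lab): Step 4 from PowerShell.
# Assumptions: run as administrator; the policy values are mine.

function Get-PasswordPolicy {
    # secedit is the only built-in way to read the complexity flag.
    # Export the local policy to a temp file, parse it, clean up.
    $cfg = Join-Path $env:TEMP "secpol-$PID.cfg"
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $policy = @{}
    foreach ($line in Get-Content -LiteralPath $cfg) {
        if ($line -match '^(MinimumPasswordAge|MaximumPasswordAge|MinimumPasswordLength|PasswordComplexity|PasswordHistorySize)\s*=\s*(\d+)') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item -LiteralPath $cfg
    return $policy
}

function Set-PasswordPolicy {
    param(
        [int]  $HistorySize = 24,   # passwords remembered
        [int]  $MinAgeDays  = 1,    # stops cycling straight back to the old one
        [int]  $MaxAgeDays  = 90,
        [int]  $MinLength   = 12,
        [bool] $Complexity  = $true
    )
    # History, ages and length are plain net accounts switches.
    net accounts "/uniquepw:$HistorySize" "/minpwage:$MinAgeDays" `
                 "/maxpwage:$MaxAgeDays" "/minpwlen:$MinLength" | Out-Null

    # Complexity is not exposed by net accounts: round-trip it through secedit.
    $cfg  = Join-Path $env:TEMP "secpol-$PID.cfg"
    $db   = Join-Path $env:TEMP "secpol-$PID.sdb"
    $flag = if ($Complexity) { 1 } else { 0 }
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $text = Get-Content -LiteralPath $cfg -Raw
    if ($text -match '(?m)^PasswordComplexity\s*=') {
        $text = $text -replace '(?m)^PasswordComplexity\s*=\s*\d+', "PasswordComplexity = $flag"
    } else {
        $text = $text -replace '\[System Access\]', "[System Access]`r`nPasswordComplexity = $flag"
    }
    Set-Content -LiteralPath $cfg -Value $text -Encoding Unicode   # secedit expects UTF-16
    secedit /configure /db $db /cfg $cfg /areas SECURITYPOLICY | Out-Null
    Remove-Item -LiteralPath $cfg, $db -ErrorAction SilentlyContinue
}

Set-PasswordPolicy
$p = Get-PasswordPolicy
$p.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# A policy that still allows short or non-complex passwords is a finding, not a pass.
if ($p.MinimumPasswordLength -lt 12 -or $p.PasswordComplexity -ne 1) {
    Write-Warning 'Password policy is weaker than intended'
}

net accounts    # the command the lab asks you to screenshot
```

Get-PasswordPolicy is also a quick way to check a machine you did not configure yourself: secpol.msc shows the same values, but a hashtable can be compared against a baseline in a script.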

Step 5: File Storage

Background Knowledge: File shares can open up a lot of holes for an attacker (improper access to certain documentation, spreading of infected media throughout the system/network, etc.), so we must monitor their usage carefully.

  1. Do you know how to change the file share access?

    1. To find the file shares on a computer, open a command prompt and type: net share

    2. Look for the share that was created and where it is located on the computer.

      1. Since "Ookie" is an administrator, that profile directory should not be shared. It could expose very sensitive files, and anything an attacker can write into the profile (the Startup folder, for example) runs the next time the administrator logs on, so it could hand over control of the account, all from a remote location. Accordingly, you'd want to disable that share.

      2. How do you know what to look for? Keep in mind the usernames you see in the share paths. If an administrator's profile directory is shared, disable it.

    3. Right-click on the folder that is being shared and select Properties. In this case right-click on: C:\Users\Ookie

    4. Click on the "Sharing" tab and select "Share..."

    5. Change the permission settings or remove people who shouldn't have access.

    6. A better option is to stop sharing the directory entirely. Click "Advanced Sharing" on the "Sharing" tab, clear "Share this folder", and click "OK".

SUBMIT: Once you’ve done this, run the ‘net share’ command again from a command prompt. Take a screenshot of the results and submit it as part of your lab. (1 point)

SUBMIT: Answer the following question: What does the screenshot output show? (1 point)

The screenshot output shows that the C:\Users\Ookie directory was removed from the file share. This means other users will not be able to access the C:\Users\Ookie directory.
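Auditing and removing the share from PowerShell, added as an example (not part of the original lab). It uses the SmbShare module that ships with Windows 10 and assumes an elevated session; it treats anything shared from inside C:\Users as suspicious, which is what the lab VM sets up, and leaves the default hidden admin shares (C$, ADMIN$, IPC$) alone.

```powershell
# Added example (not from the original lab): Step 5 from PowerShell.
# Assumptions: run as administrator; "inside C:\Users" is my rule for
# what counts as a suspicious share.

$builtIn = '^(ADMIN\$|IPC\$|[A-Z]\$)$'   # default hidden admin shares

function Get-ShareReport {
    Get-SmbShare |
        Where-Object { $_.Name -notmatch $builtIn -and $_.Path } |
        ForEach-Object {
            # Who can reach the share over the network. "Everyone" with
            # Read is already enough to pull documents out of a profile.
            $acl = Get-SmbShareAccess -Name $_.Name |
                   ForEach-Object { "$($_.AccountName)=$($_.AccessRight)" }
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $_.Path
                InProfile = [bool]($_.Path -like 'C:\Users\*')
                Access    = $acl -join ', '
            }
        }
}

function Remove-ProfileShares {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($s in (Get-ShareReport | Where-Object InProfile)) {
        if ($PSCmdlet.ShouldProcess("$($s.Name) -> $($s.Path)", 'Remove SMB share')) {
            # -Force: no confirmation prompt. Removing the share does not
            # touch the directory or its files, only the network export.
            Remove-SmbShare -Name $s.Name -Force
        }
    }
}

'Shares before:'; Get-ShareReport | Format-Table -AutoSize
Remove-ProfileShares -WhatIf      # dry run: prints what would be removed
Remove-ProfileShares

# The "Turn on password protected sharing" switch in the Network and
# Sharing Center is, underneath, tied to the Guest account: with Guest
# disabled, nobody reaches a remaining share without a real account.
Disable-LocalUser -Name Guest -ErrorAction SilentlyContinue

'Shares after:'; net share        # the lab's verification command
```

The Access column is worth a look even for shares you decide to keep: a share granted to Everyone is reachable by any account on the machine, including Kooky's.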

  1. Do you know how to require a password to access the file share?

    1. Open File Explorer and locate the shared folder.

    2. Right-click on it and select Properties.

    3. On the "Sharing" tab, click the "Network and Sharing Center" link at the bottom.

    4. Expand the "All Networks" section.

    5. Select "Turn on password protected sharing" and save the changes.

SUBMIT: Take a screenshot of the program window showing that password-protected sharing has been enabled, and submit it as part of your lab. (1 point)

SUBMIT: Answer the following question: What does the screenshot output show? (1 point)

This screenshot shows that password protection is enabled on the file share.

Step 6: Web Server Hardening

Background Knowledge: Web servers are enticing targets for attackers, so we want to give them as little information as possible (remove anything that identifies the server software and version, remove the ability to see which files are present in a directory, etc.). A web server's basic function is to host web pages for others to access.

  1. Do you know how to find the Apache web server if you don't know what directory it's in?

    1. Search for "Services" from the Start menu and open it.

    2. Find the service, right-click it and select Properties.

    3. Look for "Path to executable" on the General tab.

    4. If this doesn't work, you can always use PowerShell. Type in the following command: Get-WMIObject -Class Win32_Service | select Name, PathName

      1. Get-WMIObject: gets instances of Windows Management Instrumentation (WMI) classes or information about the available WMI classes.

      2. -Class Win32_Service: selects the WMI class "Win32_Service", which has one instance per installed service, whether it is running or not.

      3. | select Name, PathName: takes the objects from the previous stage and keeps only the named properties. Here those are Name and PathName, the service name and the full path of the executable that runs it.

    5. Look for the Apache service in the list.

  1. Do you know how to harden an Apache web server in case you need one?

    1. Open File Explorer and find the web server's directory.

    2. Go to the conf directory and open httpd.conf.

      1. If you can't see httpd.conf, file extensions (".conf" in this case) are being hidden. On the View tab, tick "File name extensions" and "Hidden items"; see the screenshot below with the settings on the right-hand side.

    3. At the bottom of the file add:

      1. ServerTokens Prod

        1. Tells Apache to return only "Apache" in the Server header that accompanies every response, instead of the version number, operating system and loaded modules.

      2. ServerSignature Off

        1. Tells Apache not to append the server version and hostname to error pages and other pages it generates.

    4. Go to Services (search from the Start menu).

    5. Find Apache in the list.

    6. Click "Restart the service" in the left pane so the new settings take effect.

SUBMIT: Take a screenshot of the httpd.conf file with the ServerTokens and ServerSignature options set, and submit this as part of your lab. (1 point)

  1. Do you know how to disable directory browsing? Directory browsing (an automatically generated index of a folder that has no index page) can inadvertently expose sensitive documents, or documents you don't want the entire Internet to have access to.

    1. Navigate to the web server's document root (C:\Apache24\htdocs) and create a directory named "test" in this folder (Right-click => New => Folder, and name it: test).

    2. Open a web browser and browse to http://localhost/test/. You should see a screen similar to the screenshot below. (NOTE: localhost is a name for your own computer. It resolves to the loopback address 127.0.0.1, which every computer has; traffic to it never leaves your machine, so another person on the LAN cannot reach the server through that address. They can still reach it through your real IP address if the server listens on all interfaces and the firewall allows it.)

SUBMIT: Take a screenshot of http://localhost/test/, and submit it as part of your lab. (1 point)

    1. To disable directory browsing, return to the Apache directory (C:\Apache24).

    2. Open httpd.conf in the conf directory.

    3. Search for <Directory "${SRVROOT}/htdocs">

    4. Inside that block, change Options Indexes FollowSymLinks to Options FollowSymLinks (or add a line Options -Indexes). Note that the keyword None cannot be combined with other options, so "Options None FollowSymLinks" is not valid and Apache will refuse to start with it. Save the file and restart the Apache service as in the previous step; an empty directory then answers 403 Forbidden instead of a listing.

SUBMIT: Take a screenshot of what you see at http://localhost/test/ now, and submit it as part of your lab. (1 point)
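The httpd.conf changes from this step applied by script, with a syntax check before the restart and a real request afterwards, added as an example (not part of the original lab). It assumes the Apache Lounge layout under C:\Apache24, a service named Apache2.4 and Windows PowerShell 5.1 (whose web-request exception carries the response); all three are easy to change at the top.

```powershell
# Added example (not from the original lab): Step 6 hardening as a script.
# Assumptions: C:\Apache24 layout, service name 'Apache2.4', PowerShell 5.1.

$apacheRoot  = 'C:\Apache24'
$serviceName = 'Apache2.4'
$conf        = Join-Path $apacheRoot 'conf\httpd.conf'

Copy-Item -LiteralPath $conf -Destination "$conf.bak" -Force   # keep a way back
$text = Get-Content -LiteralPath $conf -Raw

# 1. Hide version/OS in the Server header and on generated pages. Remove
#    any existing ServerTokens/ServerSignature lines first, because the
#    last occurrence in the file wins.
$text = $text -replace '(?m)^\s*Server(Tokens|Signature)\s+\S+.*\r?\n', ''
$text = $text.TrimEnd() + "`r`n`r`nServerTokens Prod`r`nServerSignature Off`r`n"

# 2. Turn off directory listings for the document root only: inside the
#    <Directory "${SRVROOT}/htdocs"> block, drop "Indexes" from Options.
#    ("Options None FollowSymLinks" is invalid; None must stand alone.)
$pattern = '(?s)(<Directory\s+"\$\{SRVROOT\}/htdocs">.*?)Options\s+Indexes\s+FollowSymLinks(.*?</Directory>)'
$text = $text -replace $pattern, '${1}Options FollowSymLinks${2}'

# UTF-8 without BOM: Apache will not parse a config that starts with a BOM.
[System.IO.File]::WriteAllText($conf, $text)

# 3. Syntax-check before touching the running service; a typo here would
#    otherwise leave the web server down.
& (Join-Path $apacheRoot 'bin\httpd.exe') -t
if ($LASTEXITCODE -ne 0) {
    Copy-Item -LiteralPath "$conf.bak" -Destination $conf -Force
    throw 'httpd.conf failed validation; original restored, nothing restarted'
}
Restart-Service -Name $serviceName

# 4. Evidence: the Server header should now read just "Apache", and an
#    empty directory should answer 403 instead of a listing.
New-Item -ItemType Directory -Path (Join-Path $apacheRoot 'htdocs\test') -Force | Out-Null
try {
    $r = Invoke-WebRequest -Uri 'http://localhost/test/' -UseBasicParsing
    "Unexpected HTTP $($r.StatusCode): directory listing still enabled?"
} catch {
    $resp = $_.Exception.Response
    "HTTP $([int]$resp.StatusCode)  Server: $($resp.Headers['Server'])"
}
```

The validation step is the part worth copying into any config change you script: a failed restart on a remote server is far more expensive than a failed httpd -t.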

Step 7: FTP Server

Background Knowledge: FTP stands for File Transfer Protocol; an FTP server is a computer that hands out and accepts files over the network, and the protocol sends credentials and data in clear text. But this is a browsing-only machine! We're going to have to turn this server off.

  1. How do you find an FTP server?

    1. Use the Get-WMIObject command from Step 6.

    2. Search through the list it returns and find the FileZilla service.

    3. The PathName column shows where on the computer the main .exe that runs the server is located.

  1. How to stop/uninstall FileZilla

    1. Go to the location you discovered above.

    2. Double-click the FileZilla Server executable: it offers to stop the server, and at the bottom of its window you'll see the option to uninstall the service.

SUBMIT: Once you’ve uninstalled FileZilla, re-run the command from Step 1a. Take a screenshot of the results, and submit that as part of your lab. (1 point)

SUBMIT: Answer the following question: What does the screenshot output show? (1 point)

This screenshot shows that the FileZilla program has been removed from the system. The programs shown are all the programs which start with F.
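The Win32_Service query from Steps 6 and 7 turned into a small audit, added as an example (not part of the original lab): it finds Apache and FileZilla wherever they are installed, shows which account each runs as, hashes the FTP binary for the record, and stops and disables the FTP service so it cannot come back at boot. The name patterns are assumptions; adjust them for other products. Uninstalling is still done through the product's own uninstaller, as in the lab.

```powershell
# Added example (not from the original lab): service discovery for
# Steps 6 and 7. Assumptions: the *Apache*/*FileZilla* name patterns.

function Find-ServiceByPattern {
    param([Parameter(Mandatory)][string[]] $Pattern)
    # Get-CimInstance is the current form of Get-WmiObject: same class,
    # same fields. Match on name, display name or executable path.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $svc = $_
            $Pattern | Where-Object {
                $svc.Name -like $_ -or $svc.DisplayName -like $_ -or $svc.PathName -like $_
            }
        } |
        Select-Object Name, DisplayName, State, StartMode, StartName, PathName
}

function Get-ServiceExecutable {
    # PathName is the registered command line: quoted path, or bare path
    # followed by arguments such as "-k runservice". Return just the file.
    param([string] $PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split ' -| /')[0]
}

$web = Find-ServiceByPattern -Pattern '*Apache*', '*httpd*'
$ftp = Find-ServiceByPattern -Pattern '*FileZilla*', '*ftp*'

'== Web server =='; $web | Format-Table -AutoSize
'== FTP server =='; $ftp | Format-Table -AutoSize

foreach ($s in $ftp) {
    $exe  = Get-ServiceExecutable $s.PathName
    $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    "FTP binary: $exe  SHA256: $hash  runs as: $($s.StartName)"
    # Stop first, then disable so a reboot does not bring it back before
    # the uninstall happens.
    Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $s.Name -StartupType Disabled
}

# The lab's verification view: services whose names begin with F.
Get-CimInstance -ClassName Win32_Service |
    Where-Object Name -like 'F*' |
    Select-Object Name, State, StartMode, PathName
```

The StartName column is the detail to check on the web server too: a service running as LocalSystem turns any remote code execution bug in that service into full control of the machine.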

Step 8: Viewing Event Logs

Background Knowledge: Event logs record what happened on a machine: logons, account changes, services starting and stopping, errors. They are collected and analyzed for higher-level "network intelligence", monitoring the ins and outs of a network and letting the admin see what is happening, whether it is normal, abnormal, or malicious activity.

  1. How do you view event logs?

    1. Open PowerShell ISE as administrator (right-click it and choose "Run as administrator").

    2. Type Get-EventLog -List

      1. This shows all the event logs you can view.

    3. Type "Get-EventLog -LogName Security -Newest 30" and run it.

      1. -LogName: the log we are viewing (the Security log can only be read with administrator rights)

      2. -Newest: how many of the most recent entries to show

SUBMIT: Take a screenshot of the results of this command, and submit it as part of your lab. (1 point)
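A step beyond the "-Newest 30" listing, added as an example (not part of the original lab): it pulls the Security events a defender checks first on a machine like this one, failed logons (event 4625) and changes to the local Administrators group (4732 added, 4733 removed), and summarises them. It assumes an elevated session; the event IDs and field positions are the documented Windows ones, and the seven-day window is my choice.

```powershell
# Added example (not from the original lab): Step 8 beyond the raw listing.
# Assumptions: run as administrator; 7-day window.

# Get-EventLog only exists in Windows PowerShell 5.1. Get-WinEvent works
# there and in PowerShell 7, and -FilterHashtable filters inside the log
# service instead of pulling every record into your session.

function Get-FailedLogons {
    param([datetime] $Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties   # EventData fields in schema order
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $p[5].Value    # TargetUserName
                LogonType   = $p[10].Value   # 2 interactive, 3 network, 10 RDP
                Workstation = $p[13].Value
                SourceIp    = $p[19].Value
                # 0xC000006A wrong password, 0xC0000064 no such user
                SubStatus   = '0x{0:X8}' -f [uint32]$p[9].Value
            }
        }
}

function Get-AdminGroupChanges {
    param([datetime] $Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4733; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -eq 'Administrators' } |   # TargetUserName = group
        ForEach-Object {
            $p   = $_.Properties
            $sid = $p[1].Value   # MemberSid; MemberName is usually just "-"
            try   { $member = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $member = $sid.Value }   # account already deleted: keep the SID
            $action = if ($_.Id -eq 4732) { 'added' } else { 'removed' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Action = $action
                Member = $member
                By     = $p[6].Value   # SubjectUserName: who made the change
            }
        }
}

# Many failures against one user from one source is the password-guessing pattern.
Get-FailedLogons |
    Group-Object User, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 |
    Format-Table -AutoSize

# Anyone added to Administrators that you did not add yourself deserves a look.
Get-AdminGroupChanges | Format-Table -AutoSize
```

On the lab VM the second table is the interesting one: it shows when Kooky's account reached the Administrators group and which account did it.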

Step 9: Renaming the Guest and Administrator Accounts

A good practice is to rename the built-in Administrator and Guest accounts. Do not pick a name that advertises privilege, like "chief" or "admin"; instead use the same naming scheme as ordinary users.

Some attacks and tools assume the built-in accounts still carry their default names, so renaming can slow an attack down or keep it from escalating privileges. Treat it as a speed bump rather than a control: the built-in Administrator always has relative ID 500 (its SID ends in -500), so anyone who can enumerate SIDs will find it whatever it is called. Disable the Guest account as well.

  1. How can you change an account's name?

    1. Go to https://www.top-password.com/blog/rename-windows-local-administrator-or-guest-account/ and use Method 1 (the wmic command) to change the name of the Administrator account.

SUBMIT: Take a screenshot showing the results of the wmic command you ran, and submit this as part of your lab. (1 point)

SUBMIT: Answer the following question: What does the screenshot output show? (1 point)

The screenshot output shows that the Administrator account has successfully been changed to Aokie. Aokie is a subtle way to tell users familiar with the naming scheme that it is an Administrator account.

Step 10: Installing Helpful Applications

Use Ninite (https://ninite.com/) to install Chrome and AVG.

SUBMIT: Provide a screenshot showing that Ninite was installed with the requested applications. (1 point)

Step 11: Admin Group Access

Using the instructions found at https://winaero.com/blog/add-remove-user-group-windows-10/, ensure that Ookie and Pokie are the only administrators on the machine (i.e., add or remove permissions from users as necessary).

SUBMIT: What steps did you take to modify users in the Administrator group? (1 Point)

I used the lusrmgr program to delete Kooky from the users in the group.

SUBMIT: Provide a screenshot showing the results of the command:

net localgroup Administrators (1 point)

SUBMIT: What does the screenshot output show? (1 point)

This screenshot shows that the only Administrator accounts on this system are Administrator (should be changed to Aokie), champlain, Ookie, and Pokie. All these accounts should have admin access.
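Steps 9 and 11 done together from PowerShell with the LocalAccounts module built into Windows 10, added as an example (not part of the original lab). It assumes an elevated session; the new name Aokie and the allowed-administrator list (Ookie, Pokie, champlain) follow this lab and are the values to change elsewhere. It locates the built-in accounts by RID rather than by name, which is the same trick an attacker uses and the reason renaming alone is not enough.

```powershell
# Added example (not from the original lab): Steps 9 and 11 from PowerShell.
# Assumptions: run as administrator; names below follow this lab.

$newAdminName  = 'Aokie'
$allowedAdmins = 'Ookie', 'Pokie', 'champlain'   # plus the renamed built-in account

# The built-in Administrator is identified by its RID, not its name: the
# SID always ends in -500 (Guest: -501). That is also why renaming is only
# a speed bump: anyone who can enumerate SIDs finds it regardless.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
$guest        = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }

if ($builtinAdmin.Name -ne $newAdminName) {
    Rename-LocalUser -Name $builtinAdmin.Name -NewName $newAdminName
}
Disable-LocalUser -Name $guest.Name          # Guest should never be enabled

$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
"Built-in admin is now '$($builtinAdmin.Name)' (SID $($builtinAdmin.SID.Value))"

# Step 11: every Administrators member not on the allow-list is demoted.
$allowed = $allowedAdmins + $builtinAdmin.Name
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $short = ($m.Name -split '\\')[-1]       # strip the COMPUTERNAME\ prefix
    if ($allowed -notcontains $short) {
        # Remove from the group rather than deleting the account, so the
        # profile and its evidence survive for whoever investigates Kooky.
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
        "Removed $($m.Name) from Administrators"
    }
}

# And make sure each legitimate admin really is in the group.
foreach ($name in $allowed) {
    $members = (Get-LocalGroupMember -Group 'Administrators').Name -replace '^.*\\'
    if ($members -notcontains $name -and (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Administrators' -Member $name
        "Added $name to Administrators"
    }
}

net localgroup Administrators                # the lab's verification command
```

Kooky keeps a working standard account after this, which is deliberate for the lab: what to do with the account itself (disable it, preserve the profile) is an incident-response decision, not a group-membership one.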
